Parameters - My personal credentials - Issue

Resolved

avatar

When attempting to pass a parameter to a PowerShell script in my personal credentials, the $parameter1$ or $host$ is not passing to the script. When hard coding the hostname, the script performs as designed. Is there something I am missing?

All Comments (12)

avatar

Hello,

Would you be able to give more information so we can understand the issue better:

  • What kind of entry are you using, and how is it configured? Screenshots can help (with sensitive information blurred out)
  • What is your PowerShell script like?
  • What version of RDM are you using?


Regards,

Hubert Mireault

avatar

Basically a quick LAPS script to retrieve the password for the host..

If I replace $PARAMETER1$ with the host's name the script works fine, but attempting to use $PARAMETER1$ or $HOST$ doesn't retrieve the password. Running on 2021.2.22.0 x64

forum image

avatar

Hello,

From what I can tell you're using the "custom" credential as a My Personal Credential for an entry, for example an RDP. I've configured this as a proof of concept test:

My Personal Credential:
forum image

Take note of the $HOST$ variable being between quotes. This could potentially be your issue, as once resolved by RDM (and not PowerShell), in your case the host won't be between quotes and the script will error out.
When I test with this credential, RDP uses its host as the username, which is the expected behavior.

I also noticed that using $PARAMETER1$ and having a variable in the parameter won't work. I've opened a ticket for this but I would still like confirmation if the $HOST$ variable used directly works for you.

Let me know if I'm off with your scenario or if this doesn't achieve what you need.

Regards,

Hubert Mireault

avatar

When I tried what you posted I get

ccomputername\System.Management.Automation.Internal.Host.InternalHost$ as the log on name.

I can't take a screenshot since it is in the UAC elevated window..

From a quick Google search this is the result of PowerShell running the command "get-host" or $host

https://renenyffenegger.ch/notes/Windows/PowerShell/command-inventory/noun/host/get/index

Note: "computername" above is the real host name, but I think that is only getting there because I have override domain set to "use hostname"

avatar

Looking in the log, I can see the user name being used.. It appears the second $ is being left there, as when I tried to not use quotes the only thing left is a single $. The same thing happens in PowerShell when I try "$host$"

forum image
forum image

forum image

avatar

Hello,

In this case, $HOST$ is a variable used by RDM, which means it should be resolved before executing the PowerShell script. Basically the PowerShell script should never receive $HOST$ as-is, it should match the host of the entry that is using the credential.

What entry type in RDM are you using this credential with? Maybe this is core to figuring out why the $HOST$ variable isn't resolving as intended. Is it an RDP, SSH Shell, etc?

Regards,

Hubert Mireault

avatar

RDP (Microsoft Remote Desktop) - Configured.. I am guessing this is what you are asking?

forum image

avatar

I got it working somehow, I think it was a combination of things.. but I changed $host$ to $HOST$ and messed with the strings of where I was pulling the password from

$Host = Get-AdmPwdPassword "$HOST$";
$password = $Host.Password;
$Result.Username = "LAPSUSERNAME";
$Result.Password = $password;

avatar

Side note, I started with the script listed here, but it wasn't working.. So I figured I would break it down in its simplest form and it still wasn't working.. Only to find out the $PARAMETER1$ issue was the issue the whole time.. I changed $PARAMETER1$ to "$HOST$" and now that original script works.. Thanks for the help!

avatar

Hello,

I'm glad you found a solution to your issue! As I mentioned previously I've opened a ticket so we can fix the issue with the $PARAMETER_$ variables, but for now I recommend either putting the variable directly in the script, or only using the parameter variables for hardcoded values that don't need further resolving.

Regards,

Hubert Mireault
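
The quoting and unresolved-placeholder behaviour discussed in this thread, as an added PowerShell example that is not part of the original posts and not RDM's own code. `Resolve-Placeholder`, `Test-ResolvedHostName` and the host name `SRV-APP01` are assumptions made for illustration.

```powershell
# Added example, not code from the thread. Resolve-Placeholder is a hypothetical
# stand-in for the textual $HOST$ substitution RDM performs before PowerShell runs.
function Resolve-Placeholder {
    param([string]$ScriptText, [string]$HostName)
    # Plain text replacement: the host name becomes part of the script source.
    $ScriptText.Replace('$HOST$', $HostName)
}

# Hypothetical guard for a credential script: accept only values that look like
# a host name, so an unresolved placeholder fails before any password lookup.
function Test-ResolvedHostName {
    param([string]$Value)
    $Value -match '^[A-Za-z0-9]([A-Za-z0-9.-]{0,253}[A-Za-z0-9])?$'
}

$sampleHost = 'SRV-APP01'   # constructed sample value

# Case 1: quoted placeholder. The resolved source holds a string literal.
$quoted = Resolve-Placeholder '$name = "$HOST$"; $name' $sampleHost
$value1 = & ([scriptblock]::Create($quoted))

# Case 2: unquoted placeholder. The resolved source is `$name = SRV-APP01`,
# which PowerShell treats as a command to run, so the script errors out.
$unquoted = Resolve-Placeholder '$name = $HOST$; $name' $sampleHost
try   { $value2 = & ([scriptblock]::Create($unquoted)) }
catch { $value2 = "ERROR: $($_.Exception.Message)" }

# Case 3: placeholder never resolved. PowerShell expands its own automatic
# variable $Host and keeps the trailing '$' as a literal character.
$value3 = "$host$"

# Only the quoted, resolved value passes the host name check.
foreach ($v in $value1, $value2, $value3) {
    [pscustomobject]@{ Value = $v; LooksLikeHost = (Test-ResolvedHostName $v) }
}
```

Calling a check like `Test-ResolvedHostName` at the top of a credential script stops the LAPS query from running against a value such as `System.Management.Automation.Internal.Host.InternalHost$`.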

avatar

New question, same issue kinda.. Can I have multiple "my custom credentials" custom scripts?

We have multiple forests and need to manage LAPS in the separate forest (DMZ). I can query from one forest to the other with PowerShell.. I guess I can make something in the custom script to see what domain the user running RDM as (local or DMZ) and then the query would run based on that info.. if that makes any sense.

I might be able to modify this script to what I need, I am not sure how RDM will react, but I figure as the return variables are correct should work..

https://thesleepyadmins.com/2021/02/06/checking-laps-password-cross-forest-using-powershell/

avatar

Hello,

We currently have plans to add an additional "my personal credentials" (actually "my privileged account") which will act in a similar way, but I'm not sure if we're keen on adding more, or a list. Generally we recommend using the User Vault to store different credentials if you require multiple ones that are unique to your user, or the Password List type since it can hold multiple credentials.

As you mention regarding the script, as long as the $result.Username, $result.Domain and $result.Password variables are set in the script, it should work correctly.

Regards,

Hubert Mireault